Category: information sharing

Reclaim your data!

A new campaign launches on the 1st October in Europe to reclaim your data from the European police authorities.

Now in Europe, national police databases systems, the Schengen Information System (SIS) on immigration and border control, the files of Europol and more, are planned to be integrated following the Prüm Treaty and the so-called ‘Stockholm Programme’ (now in preparation for European Council vote in December this year).

As the organisers make clear, this does not just concern people convicted of any crime, but all immigrants, political protestors arrested at demonstrations, all the many entirely innocent people included on the UK’s National DNA Database – or any other national police database that includes data on the innocent, etc. What’s more, as a result of pre-existing (and originally secretly negotiated) agreements with the USA, the data will also be shared with the FBI and other US intelligence agencies.

So – first of all, protest! In what ever way you can. And secondly, as the campaign suggests:

“to anyone who would like to know what the police (think they) know about you, or simply to register your dissent, we recommend exercising your right to access your own data by sending a request for information to the relevant police authority in your country. The digest received in response will help to give us an idea of the full extent of police access to citizen data, as well as serving as a starting point for getting your data out of the computer systems, by legal or political means.”

Further details here (in English and German).

German-language document generator for data requests.

UK opposition plans to roll back ‘the surveillance state’

The Conservative Party Shadow Justice Minister, Dominic Grieve has launched a brief report outlining the opposition’s plans to introduce a new attitude to surveillance in the UK, and reverse many of the current Labour government’s policies. And it is mostly good, insofar as it goes. But, it is where it doesn’t go that is the problem.

The main measures include things we already knew, like a pledge to scrap the National Identity Register (NIR) and ID card scheme, and proposals to limit the proliferation of central databases and control the National DNA Database (NDNAD). However the Tories also want to abolish the Contact Point children’s database, restrict Local Government’s rights under the Regulation of Investigatory Powers Act (RIPA), strengthen the powers and functions of the Information Commissioner’s Office (ICO) and require mandatory Privacy Impact Assessment (PIA) for all new legislation or other state proposals.

So far so good – and these are all things I have proposed myself at various times – but there are also some very weak or pointless elements. First of all, the attitude to the private sector is predictably laissez-faire. Though the report includes a long list of the data losses that plagued the Labour government over the last few years, they fail to note how many of them involved private sector contractors or partners. And their only real mention of the private sector is to suggest that the ICO consults with industry on ‘guidelines’ and the possibility of introducing a ‘kitemark’ (a kind of stamp of approval). These are both pretty much worthless and tokenistic efforts. The Tories, as much as Labour, fail to appreciate that contemporary threats to privacy come as much from the private sector as the public. Unfortunately recognising and dealing with this would require a rather more robust attitude to private business than either of the UK’s two main parties are prepared to muster right now. This, I guess, is the reason why the Tories talk about ‘the surveillance state’ as opposed to ‘the surveillance society’ (the term used by ourselves and the ICO).

Secondly, there is no proposal to do anything to control or roll-back the most obvious and intrusive aspect of the UK’s surveillance society, the vast number of CCTV cameras and systems operated by everyone from the police down to housing associations and schools. In fact there is not a single mention of CCTV or public space surveillance in the report. Rather than missing an elephant in the room, this is more like failing to notice a whale in your bathtub…

Finally, there is the suggestion to introduce a right to privacy as part of a ‘British Bill of Rights’. Certainly what privacy means in British law needs to be clarified and strengthened, but actually this could be done through amending the existing Human Rights Act to make it better reflect the European Court’s already published views on the interpretation of Article 8 of the European Directive. Unfortunately, the Tories are stupidly ideologically opposed to doing anything to strengthen the HRA, and in fact their proposed ‘British Bill of Rights’ is a rag-bag collection of populist proposals that will instead replace the most progressive change to British law for some decades.

Finally, there is no mention of any changes to the pernicious Terrorism Act or Counter-Terrorism Act, that have further undermined the presumption of innocence and other longstanding foundations of British citizenship. There’s no mention of previous legislation that restricted traditional freedoms like the Criminal Justice and Public Order Act. In fact, there’s every reason to believe that the Conservative Party will be just as willing to clamp down on such freedoms in the name of the war on terror, or crime, or anti-social behaviour as the Labour Party, and no reason to suppose that they deal honestly with the underlying issues – which would mean, of course, telling people things that they don’t want to hear.

The full report can be found here.

Varieties of anti-surveillance activism in Japan

Although some progressive activists would like it to be otherwise, anti-surveillance feeling is not confined to the left, indeed in many countries, like the USA, libertarian individualist right-wing anti-surveillance activism is perhaps more common. And it seems that such a position is not unusual in Japan either.

Having returned from a weekend of hot springs, fine sake-tasting and eating way too much, today we met with the Mayor of the Suginami ward of Tokyo, Hiroshi Yamada, a prominent figure in the anti-juki-net campaign, and a also one of the leaders of a group of right-wing figures trying to promote a new nationalist grouping at that end of the Japanese political spectrum. But this new right is not at all a simple matter of ‘back to the 1930s’ that some commentators would have you believe. Yes, this group – which also includes the Mayors of major cities including Yokohama and Nagoya as well as popular journalists like Yoshiko Sakurai – has very conservative, revisionist views, on Japanese history, but in many ways they have far more in common with the new US libertarian right in their rejection of large state and high taxes, and in other areas too, for example Sakurai has rather unscientific views on climate change!

Part of the this libertarian outlook is the rejection of state intrusion into the private lives of individuals. Mayor Yamada saw the juki-net system as part of unwelcome movement towards a more top-down society, concentrating power at the centre. He was very clear that the state’s ability to collect information on the individual should be based on what the individual wanted to give up, not on what the state thought it needed (this is very much the opposite of what the Prime Minister’s IT Strategic HQ said to us last week). He was also most concerned about the risks posed by large databases, both as an attractive target to external hackers and to corrupt use from inside operators. Yamada is not opposed to what he calls IT shakai (IT society), but the use of IT should be based on what is useful to individuals, and of course what is actually he needed, he argued, would often be less expensive than the massive computerisation schemes favoured by the current administration as part of their i-Japan strategy. In this sense, he said he would oppose any move to unnecessary centralised databases and certainly to any possible national ID register or card.

In most respects, what Mayor Yamada said could probably have been said by any left-wing civil liberties activist in the UK, or by conservative right opponents of intrusive state like Conservative ex-Shadow Cabinet Minister, David Davis. Perhaps many aspects of what is felt to be wrong with surveillance society do not correlate neatly with old left-right divisions. This view was shared by Toshimaru Ogura, a Toyama University professor and major figure in left-wing anti-surveillance activism whom we met with just afterwards, along with campaigning journalist, Midori Ogasawara again. Just as the Convention on Modern Liberty event earlier in the year showed for the UK, there are many different varieties of anti-surveillance feeling in Japan, and whilst opponents may disagree with each other, and may even find other aspects of the politics of their erstwhile collaborators utterly distasteful, they do collaborate, even if it is only for short periods.

Professor Ogura’s analysis, as that of Ogasawara and indeed of Kanshi-no! whom we met the other day, is much more focused on the way in which surveillance excludes and discriminates – against union members, activists, gaikokujin (foreigners) and so on – and also the ways in which it favours the interests not just of the state but capital. We’ll be talking to groups who deal with the concerns of these excluded people in the last week we are here. Privacy is important, but Ogura’s analysis is concerned with the disproportionate effects of surveillance. It is not just that privacy is affected but that particular groups’ and individuals’ rights are damaged more than others, and those people are not generally the ‘ordinary taxpayers’ to whom Yamada and the libertarian right are trying to appeal.

Like me, Professor Ogura is also particularly interested in the way in which particular corporations and business coalitions pushing technological ‘solutions’ to social and organisational problems can have a profound influence the way government makes decisions. Such coalitions would still be there however large government was, and in some ways, without a government large enough to stand up to the private sector, a different kind of more purely market-driven surveillance society would emerge. In that sense, it is what government does, and to whom it responds, that is more important that more arbitrary questions of ‘size’.

There’s a lot more to consider here too, in particular the extent to which any of the things we consider under the umbrella of ‘surveillance’ are actually and actively part of some coordinated state (or other) plan. I’m starting to develop a sense of this here, but I will leave those thoughts to another post.

(Thank-you to Mayor Hirioshi Yamada, Professor Ogura Toshimaru and again, to Midori Ogasawara for being so generous with their valuable time).

At the IT Strategic Headquarters

Yesterday we visited the Prime Minister’s IT Senryaku Honbu (IT Strategic Headquarters). (This has actually been the only national-level government agency that has agreed to speak to us, and some of the reasons for refusal have been rather telling, not least that of Houmusho (the Ministry of Justice), which claimed that they had nothing to do with privacy and so on, which betrays a level of ignorance about the effects of their own policies that is probably more the result of bureaucratic sectionalism and literalism than anything else but is nevertheless interesting!). The IT Strategic HQ is responsible for developing the ‘i-Japan’ strategy, the latest incarnation of what has at various times been called ‘Information Society Japan’ and ‘e-Japan’ policy. They are also the agency that wrote the most recent Japanese data protection laws, which I wrote about a couple of weeks ago.

We were treated to a prepared presentation on the latest incarnation of the i-Japan strategy, in which the ‘i’ seems to stand for ‘inclusion’ and ‘innovation’ but not apparently for ‘interactive’, which one might expect from its use elsewhere in computing. However it was the brief interview we had afterwards that was more enlightening.

In short, the government has acknowledged that what they originally wanted out of juki-net has failed due to opposition, despite the supreme court victory that ruled that the current cut-down version was constitutional. However, as Kanshi-no! argued, they are not going to back down that easily. The movement towards the creation of centralised government databases will continue, and there most likely will eventually be a fully configured identification system (and card) and rather alarmingly, the new i-Japan strategy makes it quite clear that laws that currently prevent this from happening will simply be changed or removed. They do not want opposition groups, nor indeed the current global recession, to be able to hold up or change these plans.

However the main thrust of development of centralised databases has shifted away from juki-net and the jyuminhyo (residents’ registration) system, towards national insurance, health and pensions. This is, as the agency than runs juki-net, Lasdec, suggested to us – and I am now beginning to think that this suggestion was rather more of a loaded hint than I had first thought – by far the most data-rich area of government records and therefore in many ways more suitable for being the basis of an architecture of central registration and identification. The database that the government intends to create in this area will also have the possibility for citizens to add in (voluntarily, they say), information from private sources, such as bank account and other financial details. Of course this could be more ‘convenient’ in terms of benefits and taxes, but it also puts an enormous amount of previously private data in the government’s hands and presents a huge temptation to identity fraud and theft from both outside and, more importantly inside the state bureaucracy (and let’s not forget, most identity fraud is an inside job).

It gets more worrying still as despite the advanced stage of these plans, the government has apparently still not decided exactly who will have access to this database, and the police in particular, as well as private insurance companies, are still considered as potential users. It seems that although the IT Strategic HQ might have developed data protection in Japan but they do not appear to understand its principles of necessity, proportionality and consent – indeed I asked them about these principles and they really had no serious reply. Instead they claimed that people in Japan wanted to have these central databases because the current fragmented system had led to poor security and data losses, and in any case, ageing society and the pensions crisis meant this had to be done. I have noticed that in Japan, ‘ageing society’ like ‘terrorism’ in the UK, seems to have become the spectre evoked to silence potential criticism.

There are many other issues too: the government is also trying to introduce a voluntary system of Electronic Health Records (EHR), but this is not as developed as the Connecting for Health centralised database that is still experiencing significant problems in its introduction in the UK; and there are some rather less controversial social inclusion measures included the provision of computers for schools and so on. However my overall impression after leaving the IT Strategic HQ was of a government that was determined to press ahead with centralised collection and control of personal information regardless of the views of citizens or of whether it is really necessary even to achieve the policy aims they have. And this won’t change as the result of a change in government either. If, as seems likely, the Liberal Democratic Party (LDP or Jyuminshuto) are voted out, the Democratic Party of Japan (DPJ or Minshuto) which will succeed them, has already said that it will create a central database.

(Thank-you to the officials of the IT Strategic Headquarters for their time).

Tokyo Brandscaping and the SuiPo system

Brandscaping is a term used in marketing to describe the metaphorical landscape of brands (either for a particular brand, company or sector), however it is also being used by some researchers, including me, to describe the way in which brands are being infiltrated into urban landscapes, with the ultimate aim of being ‘inhabitable’ perhaps even 24/7 (see for example Disney’s move into urban development with Celebration in Florida).

Contemporary brandscaping makes use of new ambient intelligence, pervasive or ubiquitous computing technologies (‘ubicomp’) and ubiquitous wireless communications to create a landscape in which the consumer is targeted with specific messages directing them to certain consumption patterns. Such communication cans of course be two-way and provide corporations with valuable and very personal data on consumption patterns. As I’ve argued in many presentations over the last few years, ubicomp is necessarily also ubiquitous surveillance (what I call ‘ubisurv’ – hence the name of this blog!) because to work it requires locatability and addressability. Japan, and Tokyo in particular, has been the site for a number of cutting edge experiments in this regard, including the ‘Tokyo Ubiquitous Technology Project’ which embedded 1000 RFID tags which can communicate with RFID-enabled keitai (mobile phones) in upscale Ginza as well as several other pilot schemes around Ueno Park and Shinjuku.

TUTP is not all about marketing surveillance however, part of the scheme has involved ‘Universal Design’ (UD) principles, with one experiment to embed chips in the yellow tactile tiles designed to help guide sight- and mobility-impaired people around the city so that useful access information could be passed through specially-enabled walking sticks. I’m very interested in such experiments as they indicate an alternative direction for ubicomp environments which are about genuinely enabling people who are currently disabled by social and architectural norms, and creating a richer sensory landscape. They show that both surveillance and ‘scary’ technology like RFID chips can be humanised.

Unfortunately in our consumer-capitalist world (and Tokyo is the exemplary city of hyper-consumption), marketing and building brandscapes tends to take priority over enabling the excluded and the disadvantaged. But there are different ways of doing this too, which can be more or less intrusive and consensual. The other day I was talking about the growth in functionality of the Suica smart travel card system. Suica-enabled keitai can now, be used buying all sorts of things and since 2006 there have been a growing number of ‘SuiPo’ (short for ‘Suica Poster’) sites, Suica-enabled advertising hoardings that will, on demand send information to your mobile e-mail address with on particular advertising in which you are interested if you pass your Suica card or phone over a scanner placed next to the poster (see photos below)

The difference between SuiPo and the Ginza RFID scheme however is that it with SuiPo is that it is the consumer who makes the choice whether to activate any particular poster’s additional information system. In this sense it is a development of the i-Mode system in which many keitai can read information from special barcodes embdedded in magazine advertisements. It doesn’t automatically call your phone every time you pass an enabled poster, once you have signed up. Not as high-tech but slightly more consensual. However this will, of course, lead to the accumulation of a lot of data on consumption interests. This potentially generates a massive consumer surveillance tool, because it can be linked up travel patterns (your registered Suica card sends information back on where you go – I was wrong about the absolute differences between London’s Oyster and Tokyo’s Suica systems the other day) and information about consumption.

So will this potential become reality? The page on privacy and data protection on the SuiPo website (as usual the link is hidden away at the bottom of the front page!), is pretty standard stuff except for the legitimate purposes for which the data can be used once you sign up. They are, for those who don’t read Japanese, for:

  1. Sending the specific requested information to you;
  2. Improving services;
  3. Data processing and analysis;
  4. JR East’s promotional marketing; and
  5. JR East customer questionnaires.

Purposes 2 and 3 pretty much allow JR to do anything it likes with the data once you have signed up, and there is no statement as to what can or cannot be done with data once it has been ‘mined’ – analysed and transformed into more useful to the company or other organisations (corporate or state) which might want to buy or access such knowledge. ‘Ubisurv’ indeed…

A juki-net footnote

I had a conversation yesterday (not a formal interview) with Midori Ogasawara, a freelance journalist and writer who used to report on privacy issues for the Asahi Shimbun newspaper. This was mainly to set up further interviews with those who are or were involved with campaigns on surveillance and privacy issues in Tokyo. However I also managed to clarify a few of my own questions about juki-net and the opposition which it attracted.

In short, there seem to have been several objections.

  1. First of all was the objection to the idea of a centralised database, which was able to link between other previously separate databases.
  2. Secondly, there was the fact that this was the national state asserting authority over both local government and citizens. Both Local Authorities and citizens groups had argued for ‘opt-in’ systems, whereby firstly, towns could adopt their own policies towards juki-net, and secondly and more fundamentally, individual citizens could decide whether they wanted their details to be shared.
  3. The third objection was to there being a register of addresses at all. Many people saw this simply as an unnecessary intrusion onto their private lives, and in any case, the administration of welfare, education and benefits worked perfectly well before this (from their point of view) so why was such a new uniform system introduced?
  4. Next there were objections based on what was being networked. The jyuminhyo (see my summary from the other day) is not actually a simple list of individuals and where they live, but is a household registry. It might not, like the koseki, place the individual in a family line, but is still a system based on patriarchal assumptions, with a designated ‘head’ of the household, and ‘dependents’ including wives and even adult children.
  5. Finally, there was the question of the construction of an identification infrastructure. Whether or not juki-net is considered as an identification system, and it does have a unique identifying number for each citizen, and has the potential to be built on to create exactly such a comprehensive system of national identification. Lasdec, who we talked to the other day, may not approve of this, or believe it will happen, but they are only technicians, they are not policymakers and don’t have the power or the access to know or decide such matters. And in the end, if they are required by law to run an ID system then they will have to run it.
  6. There were, as I already mentioned, objections to the potential loss or illicit sharing of personal information. I don’t think this is intrinsic to juki-net, or indeed to database systems, but of course both databases and networks make such things easier. People are also quite cynical about promises of secure systems. Lasdec may say that that juki-net is secure, but there have been enough incidences of government data leaks in the past for people not to accept such assertions.
  7. Finally, Juki-net connects to the border, passport and visa system. The reason that foreigners will finally be included on the jyuminhyo (and therefore juki-net) from 2012 is not therefore to respond to long-term foreign residents’ requests for equal treatment but in fact to make it even easier to sort out and find gaikokujin, check their status, and deal with unofficial and illegal migrants. Groups campaigning for the rights of foreign workers (mainly the exploited South-East Asian and Brazilian factory workers) have therefore been very much involved. Of course it also makes it possible to connect the overseas travel of Japanese people to a central address registry.

I’ll be meeting Midori again soon, I hope, along with other researchers and objectors. I am also still hoping to be able to talk to officials from the Homusho (Ministry of Justice) and the Somusho (Ministry of Public Management, Home Affairs, Posts & Telecommunications), but they are are currently passing around my request to different offices and generally delaying things in the best bureaucratic traditions!

Identification in Japan (Part 2): Juki-net

As I mentioned yesterday, one of the big developments in state information systems in Japan in recent years has been the development of the jyuminkihondaichou network system (Residents’ Registry Network System, or juki-net). Very basically juki-net is a way of connecting together the 1700 (recently restructured from 3300) local authorities’ residents’ registries (jyuminhyo). These are a record of who lives in the area and where, that are held on a multiplicity of different local computer (and even still, paper) databases. Japanese government services are always struggling to catch up with massive and swift social changes, particularly the increased mobility of people, that made first the Meiji-era koseki (family registers) and then the disconnected local jyuminhyo (which were both themselves introduced to deal with earlier waves of increased social and spatial mobility) inadequate.

Operational from 2002, juki-net is restricted by law to only transmitting four pieces of personal data (name, sex, date-of-birth and address), plus a randomly-generated 11-digit unique number. Nevertheless, the system was strongly opposed and has sparked multiple legal challenges from residents’ groups who did not want to be on the system at all, and who considered the risk of data leakage or privacy violation to be too great for the system to be lawful. These challenges were combined together into one class-action suit, which finally failed at the highest level, the Supreme Court, in March 2008. The court ruled that juki-net was constitutional and there was no serious security risk in the system itself but according to some analysts did not address the possibility of mistakes being made by operatives. But this would seem to me to be a problem of data protection in general in Japan, rather than an issues that is specific to juki-net. Like Brazil, but unlike Canada and the UK for example, Japan has no independent watchdog agency or commissioner for safeguarding privacy or kojin deta (personal data), and other than internal procedures, the courts are the citizen’s only recourse. In any case, as Britain’s comparatively frequent incidence of data loss by public authorities shows, even having such a system does not necessarily make for better practice. There is in Japan, as in Britain, training and advice in data protection provided by a specialist government information systems agency.

We interviewed officials at that government agency, Lasdec (the Local Authorities Systems Development Centre) today. Lasdec also developed and runs juki-net and is responsible for the new jyuminhyo / juki-net card that enables easy access to local (and some national) services via the web or ATM-like machines at local government offices. Unsurprisingly they were quite bemused by the opposition to juki-net, which they say was based on a lack of understanding amongst citizens about what it was, and a general fear of computers and databases. They argued that many people (including one or two local authorities) had the impression juki-net was, or was planned to be, an extensive database of all personal information held by different parts of the government, or even was the basis for a new system of national identification or indeed was a new system of national identification – indeed that was the impression one got from reading both Japanese and foreign civil and cyber-liberties groups’ reports in 2002/2003 with plenty of stories of the new Japanese ‘Big Brother’ system (see the archived collection here for example).

However Lasdec argued that both ideas were incorrect. The officials recognised both that the 11-digit unique number was adapted from a previous failed identification scheme, and that juki-net could in theory become the basis for any proposed future national ID scheme, but this was prevented by the enabling law. In any case juki-net was not even the best existing system on which to base an ID system: passport, driving licence and healthcare databases all had more information and certainly information with higher levels of personal identifiability – and no-one seems to be objecting the amount of information contained on the driving licence system, for example. Juki-net has no photos or other biometric data and no historical information. Likewise the residents’ card can have a photo if the resident wishes, but this is not shared through juki-net, and in fact the card itself is entirely voluntary. In addition, only in one city has take-up of the card exceeded more than 50% of the adult population (Lasdec has detailed information on take-up but only published a ‘league table’ without percentages). You also do not lose anything by chosing not to have or use the card.

The officials at Lasdec were, as with many technical and systems engineers in both public and private sectors whom I have interviewed, far more aware of privacy, data protection and surveillance issues than most politicians and mainstream (non-technical) government officials. They did not shy away from the terms kanshi (surveillance) or kanshi shakai (surveillance society) and indeed were as critical of the unregulated spread of things like CCTV in public space as many activists. They saw themselves in fact as controllers of information flow as much as facilitators. They were committed to the minimalist model of information-sharing set out by the law governing juki-net and wanted to find always the ways that information that was necessary to be shared could be shared without the creation of central databases or the exchange of additional unnecessary information. In addition, new laws came into force (in 2006), which make the residential information more private than it was before. In fact, such local registers used to be entirely public (anyone could access them), and now they are far more restricted – this only seems to have been noticed by direct marketing firms, who of course were not 100% happy with this change.

This puts me into a strange position. I have colleagues here who have been utterly opposed to juki-net, and I have always assumed that it was in some way similar or equivalent to the UK National Identity Register / ID card scheme. However in fact, it seems very similar to the ‘information clearing house’ idea which I and others have proposed for the UK, in opposition to the enormous NIR which would seem to suck in every kind of state-held information on the citizen! In addition juki-net does not require any more information from the Japanese citizen than is already held by the state, again unlike the NIR in the UK, for which multiple new forms of information are being requested by the state and indeed there are fines, and ultimately prison sentences, proposed by law for refusal to give up or update such information. In contrast, juki-net is more like the electoral register in the UK, to which hardly anyone objects.

This all makes me wonder exactly what it is that provoked such vociferous opposition to juki-net. If it is a actually or potentially repressive surveillance system, somewhat like Barthes’ famous description of Tokyo, it is one with an empty centre; there is no ‘Big Brother’ only a rather well-meaning set of bespectacled technicians who are just trying, as they see it, to make things work better so that people don’t have to keep proving who they are every time they move to a new area. Perhaps there are particular cultural and political factors (that is after all the working hypothesis of this entire project – and perhaps in making assumptions about both systems and oppositions across borders we obscure the specifics). Perhaps it is the association of the 11-digit number with previous proposed ID schemes. Perhaps, as in Germany, in new government information systems, there are resonances with older systems of identification and control that hark back to more repressive, fascist, times. Or perhaps there is a general cynicism of successive government ‘information society’ / ‘e-Japan’ / ‘i-Japan’ strategies and initiatives, each of which promise empowerment and in practice deliver more bureaucracy. These are some questions I need to explore further with other officials academics and activists.

Data Protection in Japan

Comprehensive data protection in Japan is fairly recent. Until 2003, data protection was still governed under much two earlier ‘ information society initiatives: firstly, the Act for the Protection of Computer Processed Personal Data Held by Administrative Organisation (1988) and secondly, the Protection of Computer Processed Personal Data Act (1990), which are based on the 1980 OECD Guidelines on the Protection of Privacy and Transborder Flows of Personal Data. These laws were limited an applied only to the state, and within that, only to some national government organisations rather than all of them.

Lawyers and those concerned with privacy within and without government were well aware of these limitations, and in the late 90s, a special Privacy Issues Study Working Group was set upby the Electronic Commerce Promotion Council of Japan (ECom). This committee issued Guidelines Concerning Protection of Personal Data in Electronic Commerce in the Private Sector in March 1998. The Chair of that committee, Professor Masao Horibe, provides an account here.

Subsequently, a Personal Data Protection Legislation Special Committee was established in January 2000 under the Advanced Information and Telecommunications Society Promotion Headquarters (now the IT Strategic Headquarters), a body responsible directly to the Japanese cabinet. This body has issued all the laws and directions regarding IT, e-Japan etc.

The need to “protect personal data” (kojin deta) was mentioned in Article 22 of the Basic Law on the Formation of an Advanced Information and Telecommunications Network Society within the rubric of ‘security’. This was followed up by the e-Japan strategy of January 2001, which under the section on the Facilitation of E-Commerce, recommended that “Necessary legislative measures should be taken to win the confidence of consumers, including submission of a bill to protect personal data to the ordinary session of the Diet in 2001.”

The Bill was introduced in March 2001, but as a result of concerns about its effects on the freedom of the press, was left to fall by 2002. However the Personal Information Protection Bill was passed in 2003, one of five bills with implications for data protections to be passed in that Diet session.The bill came into force in 2005. I’ll discuss the content and operation of the bill later, but there’s a good summary in English from when the Bill was passed here.

The one particularly interesting thing to note here is that it doesn’t designate or establish any one body to oversee the operation of the law or the enforcement of rights, or deal with complaints as in European countries and Canada, for example, Instead it keeps data protection as an internal matter for designated government ministries (and for companies), with legal action an option if all else fails. The law is generally on the side of data flow and commercial / administrative convenience, which is not surprising given its origins in industry-led e-commerce promotion organisations.

MI5 in all kinds of trouble…

The British internal security service, MI5, has found itself in all kinds of trouble this week. First there was the report of the inquiry into the intelligence aspects of the 7/7 bombings in London. Although the report ‘cleared’ MI5 of wrongdoing (which was hardly unexpected!), it is clear that there was a catalogue of intelligence failures resulting from aspects as varied as a lack of funding, poor communication between MI5 and police, and simple mistake in judging the seriousness of the activities of those who came to the notice of MI5, particularly the two eventual bombers, Mohammed Sidique Khan and Shehzad Tanweer.

Then today, there have been serious allegations made in The Independent of the MI5 trying recruitment by blackmail on young British Muslims. Basically the modus operandi was to approach the potential informant and tell them that they were suspected of terrorist activities or terrorist sympathies, but that if they cooperated with MI5 then this would be overlooked. However if they refused then their ‘terrorist connections’ would be made more widely known.

All of this, as if it needed pointing out again, leads to the the clear conclusion that the security services need better and more transparent oversight, as well as clearer direction, and yes, perhaps more money (if they can behave themselves). The point is that properly controlled and justified targeted surveillance of genuine suspects (like Khan and Tanweer) is exactly what a security service should do, whereas mass preemptive surveillance (a la Met Police) or random blackmail is not. In fact the latter would tend to be counterproductive as in general, they will increase distrust in government and in particular, drive more young Muslims towards extremism.

Google: ‘give us data or you could die!’

I’ve been keeping a bit of an eye on the way that online systems are being used to map disease spread, including by Google. What I didn’t anticipate is that Google would use this as a kind of emotional blackmail to persuade governments to allow them as much data as they like for as long as possible.

Arguing against the European Commission’s proposal that Google should have to delete personal data after 6 months, Larry Page claims that to do so would be “in direct conflict with being able to map pandemics” and that without this the “more likely we all are to die.”

Google talk a lot of sense sometimes –  I was very impressed with their Privacy counsel, Richard Fleischer, at a meeting I was at the other week – and in many ways they are now an intimate part of the daily lives of millions of people, but this kind of overwrought emotionalism does them no favours and belies their moto, ‘don’t be evil’.

(again, thanks to Seda Gurses for finding this)